[Snort-devel] http_gunzip preprocessor

Frank Knobbe frank at ...2134...
Thu Jan 5 11:33:08 EST 2006


On Thu, 2006-01-05 at 14:12 -0500, Eric Lauzon wrote:
> Case where you won't see anything:

"Seeing" is not "detecting" ;)

> Let's say you have this webpage using uuencoded javascript
> to redirect you to a server where there is the WMF. Even if the initial
> stream is "decompressed", where are you gonna be able to detect anything?

While you could decode the javascript on the fly, you wouldn't need to.
You already have identified it as encoded javascript. Hell, go as far as
only detecting <script> and be done with it. You can't do that when the
page is gzip compressed in the HTTP stream. There is no <script>. If it
were uuencoded, you could potentially match on that (due to the nature
of the algorithm), but you can't do that with zip/compress/deflate
unless you follow it from the beginning, which means decoding on the
fly.

> One good example is shellcode detection, where after the birth of
> ADMmutate, ASCII shellcode encoding, polymorphism, the only real way to
> detect shellcode is to have a host-based IDS that monitors process memory,
> process structure and Instruction Pointer.

Yet we had fnord.

> The scope should be writing a portion of code for a specific case that
> just arose but has been exploited before; why not think about an http
> module that can use sub-preprocessors on the http stream? This could then
> lead toward stream anomaly / state detection.

I'm sorry, I'm not able to follow your sentence structure here. I *am*
talking about a module that sits behind the http_inspect thing and
further normalizes the stream.

> I'm still convinced that most of the people won't read
> and will then complain; the other half will try but will encounter
> huge performance issues.

How can you say that without even having tried it? Please go do some
analysis of the compressed traffic actually present.

> Where is the trade off? A quick "useless" feature as it won't help
> over other means of [...]

Useless to you perhaps.

Man, I'm sorry dude, I have to put you on my plonker list. If you want to
discuss technical merits in earnest (which it doesn't look like), please
use a different address.

-Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
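The point made above, that a content match such as <script> has nothing to fire on in a gzip-encoded body unless the stream is inflated from its beginning, as an added Python example; this is not code from the thread or from Snort, and the sample page, signature and segment sizes are constructed for illustration.

```python
import gzip
import zlib

# Constructed sample page (not from the thread): a JavaScript redirect.
PAGE = (b"<html><head><title>sample</title></head><body>"
        b"<p>one</p><p>two</p>"
        b"<script>window.location = 'http://example.invalid/next';</script>"
        b"</body></html>")
SIGNATURE = b"<script>"          # what a plain content rule looks for


def compress_page(page: bytes) -> bytes:
    """Body as a server sends it with Content-Encoding: gzip."""
    return gzip.compress(page)


def raw_match(body: bytes, sig: bytes = SIGNATURE) -> bool:
    """What a content rule sees on the wire without any decompression."""
    return sig in body


def segments(data: bytes, size: int) -> list:
    """Split a body into fixed-size pieces, standing in for TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def inflate_and_match(chunks, sig: bytes = SIGNATURE) -> bool:
    """Inflate the gzip stream incrementally, as a preprocessor that follows
    it from the first segment would, and scan each inflated piece.
    A carry of len(sig)-1 bytes keeps a hit that straddles two segments
    from being missed."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16 = gzip framing
    carry = b""
    for chunk in chunks:
        out = carry + inflater.decompress(chunk)
        if sig in out:
            return True
        carry = out[-(len(sig) - 1):] if len(sig) > 1 else b""
    return False


if __name__ == "__main__":
    body = compress_page(PAGE)
    print("raw match on compressed body:", raw_match(body))
    print("match after inflating stream:", inflate_and_match(segments(body, 16)))
```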
